Transcript patterns & practices Enterprise Library

Enterprise Library
Cryptography Application Block
Scott Densmore
Software Design Engineer
Ron Jacobs
Product Manager
Microsoft Corporation
patterns & practices
Architecture Guidance for the Enterprise
Proven
Authoritative
Accurate
Actionable
Relevant
Based on field experience
Offer the best advice available
Technically validated and tested
Provide the steps to success
Address real-world problems based on customer scenarios
Available online:
Books available:
www.microsoft.com/practices
www.amazon.com/practices
Patterns
Atomic solutions to recurring
problems
D
A
D
Application Blocks
Reference
Architectures
Sub-system-level guidance for
common services
System-level guidance for
common customer scenarios
I
D
A
D
I
D
A
A
A
D
D
D
I
I
I
Guides
Guidance for broad horizontal topics such as security,
performance, deployment and operations
A
D
I
Agenda
Overview
What you must know to use the application
block
Defining your configuration
Creating an instance of the security provider
objects
Executing the methods
Getting beyond the surface
Selecting the right options for security
For really advanced users
Key extensibility points
Sound Familiar?
The need for developers to write application
code specific for the security mechanisms of the
deployment environment
Having to change application code to test in a
simplified security environment
Security Needs
A simple way of authenticating a user
The ability to determine what roles a user is in,
and determining if the user is authorized to
perform a task
The ability to read and write profile information
for a user
The ability to write the same application code
for different security providers
An easy way to adjust and validate the security
configuration settings
Security Application Block
Provides a consistent way to implement
common security scenarios for authentication,
authorization, roles and profiles irrespective of
the underlying security mechanism
Provider model makes it adaptable to specific
platform or security infrastructure systems
Supports the Configuration Console, allowing
easy configuration modifications and validation
Enterprise Library v1
Caching
Exceptions
Legend
Security
Data
Access
Logging
Dependency
Plug-in
Crypto
Configuration
Config
Tool
What you must know
...in 3 easy steps
Step 1: Define your
configuration
You will need an app.config (or web.config) file for your application
Use the Enterprise Library Configuration tool to create the configuration for the
Security Application Block
Use a post-build step to copy config files to the runtime directory
See http://www.ronjacobs.com/TipPostBuild.htm
Step 2: Create an Instance of
Security Provider
Enterprise Library Security Application Block uses the
Plugin [Fowler] pattern to create providers.
Allows us to support AD, Database, AzMan and other
providers
' Create the default authentication provider instance
Dim authProvider As IAuthenticationProvider =
AuthenticationFactory.GetAuthenticationProvider()
' Use a named instance to map to configuration
Dim authProvider As IAuthenticationProvider =
AuthenticationFactory.GetAuthenticationProvider("Authe
ntication Provider")
Step 3: Executing Security
Provider Commands
Authentication
Authenticate
Cache identity
Expire a session
Authorization
Determine if user is
authorized to perform a
task
Roles
Determine what roles a
user is in
Profiles
Read and write profile
information
NamePasswordCredential credentials =
new NamePasswordCredential(username, password);
bool authenticated = authProvider.Authenticate(credentials, out identity);
View/Application Share:
Demonstration of Security Block
[Live Meeting View/Application Share. Use Live Meeting > Edit Slide
Properties... to edit.]
Going deeper...
...this is where it gets interesting
Authentication
Authentication is the process of determining
caller identity. There are three aspects to
consider:
Identify where authentication is required in your
application. It is generally required whenever a trust
boundary is crossed. Trust boundaries usually
include assemblies, processes, and hosts.
Validate who the caller is. Users typically
authenticate themselves with user names and
passwords.
Identify the user on subsequent requests. This
requires some form of authentication token.
Strong Account Management
Policies
Does your application enforce strong passwords?
Do you restrict the number of failed login attempts?
Do you reveal too much information in the event of failure?
Do you enforce a periodic change of passwords?
Can you quickly disable accounts in the event of
compromise?
Does your application record login attempts?
Improving Web Application Security
Threats and Countermeasures
Chapter 4 – Design Guidelines for Secure Web Applications
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
Authentication Database
Provider
Uses Data Access Application Block for
database access
SQL script included for required schema
Uses Cryptography Application Block for hashing
passwords
Required if using supplied profile or roles
database provider
Configuring the Authentication
Database Provider
Using the Configuration Console
Configured
database
instance
Configured
hash
provider
Authenticating the User
Create authentication provider
IAuthenticationProvider authenticationProvider =
AuthenticationFactory.GetAuthenticationProvider(“MyProvider");
Create NamePasswordCredentials
NamePasswordCredential credentials = new
NamePasswordCredential(“JohnS”, “MyPassword”);
Call Authenticate
IIdentity identity;
bool authenticated =
authenticationProvider.Authenticate(credentials, out identity);
Authorization
Authorization determines what the
authenticated identity can do and the resources
that can be accessed. Improper or weak
authorization leads to information disclosure
and data tampering. Defense in depth is the key
security principle to apply to your application’s
authorization strategy
Authorizing End Users
Do you use a defense in depth strategy?
Which gatekeepers are used?
Do you use a role-based approach?
Do your roles provide adequate privilege
separation?
Improving Web Application Security
Threats and Countermeasures
Chapter 5 – Architecture and Design Review for Security
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
Authorization Providers
AzMan (Authorization Manager)
Requires Microsoft® Windows® 2000™ Server with
Service Pack 4, Microsoft Windows Server 2003, or
Windows XP SP1 with Windows Server 2003
Administration Tools Pack
Authorization Rule
Allows you to create simple rules that are evaluated
at runtime
Configuration Console provides a rule expression
editor
Rules are named and stored in the configuration file
Authorization Rules
Identities
Specific (for example, “Bob”)
Anonymous (?)
Any (*)
Roles
Specific (for example, “Managers”)
Any (*)
Operators
AND, OR, NOT and ()
Authorization Rules
I:Bob
Only a user with the identity Bob is authorized
((R:HumanResources OR R:GeneralManagers)
AND (NOT R:HRSpecialist))
Only users that are either in the HumanResources or
GeneralManagers roles and not in the HRSpecialist
role are authorized
Configuring the Authorization
Rule Provider
Using the Configuration Console
Rule
expression
Rule name
View/Application Share:
Demonstration of Rule Expression
Editor
[Live Meeting View/Application Share. Use Live Meeting > Edit Slide
Properties... to edit.]
Authorizing the User
Create authorization provider
IAuthorizationProvider ruleProvider=
AuthorizationFactory.GetAuthorizationProvider("RuleP
rovider")
Call Authorize
Accepts an IPrinciple and a rule name
bool authorized = this.ruleProvider.Authorize(principal,
“Hire Employee”);
Roles
The two basic authorization strategies are:
Role based. Access to operations (typically methods)
is secured based on the role membership of the
caller. Roles are used to partition your application’s
user base into sets of users who share the same
security privileges within the application.
Resource based. Individual resources are secured
using Windows ACLs. The application impersonates
the caller prior to accessing resources, which allows
the operating system to perform standard access
checks.
Roles
In the vast majority of .NET Web applications where
scalability is essential, a role-based approach to
authorization represents the best choice. For certain
smaller scale intranet applications that serve per-user
content from resources (such as files) that can be
secured with Windows ACLs against individual users, a
resource-based approach may be appropriate.
Building Secure Microsoft ASP.NET Applications
Chapter 3 – Authentication and Authorization
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp
Roles Providers
Active Directory®
Database
Uses Data Access Application Block for database
access
SQL script included for required schema
Out-of-box requires using supplied authentication
database provider (roles are tied to a userid in the
Users table)
Configuring the Roles
Database Provider
Using the Configuration Console
Configured
database
instance
Determining the Roles a User
is In
Create roles provider
IRolesProvider rolesProvider =
RolesFactory.GetRolesProvider("Roles Provider");
Get the Principal
Call IsInRoles
IPrincipal principal =
rolesProvider.GetRoles(this.identity);
bool isManager = principal.IsInRole(“Manager”);
Profiles
A profile is a flexible application defined
container for associating application specific
information with a user identity. A profile can be
any or all of the following:
A simple string or primitive type
A serializable object
A dictionary of primitives and serializable
objects. (all values are stored as strings in the
database).
Configuring the Profile
Database Provider
Using the Configuration Console
Configured
database
instance
Writing Profile Information
Create profile provider
IProfileProvider profileProvider =
ProfileFactory.GetProfileProvider();
Call SetProfile
Pass IIDentity of existing user
Pass object with profile information (e.g., serializable
class)
profileProvider.SetProfile(identity, profile);
Reading Profile Information
Call GetProfile
Pass IIDentity of existing user
Returns object with profile information
ProfileInformation userProfile =
profileProvider.GetProfile(identity) as
ProfileInformation;
The Security Cache
The application block allows you to cache the securityrelated information
The cached information is identified by a token (you
can specify, or the block will generate it)
An example of when you might want to obtain a
temporary token for an authenticated user is when you
want to improve the performance of your application,
by passing the token instead of frequently
authenticating the same token during a single user
session
Configuring the Security
Cache
Using the Configuration Console
Configured
cache
manager
Obtaining a Temporary Token
Create security cache
ISecurityCacheProvider cache =
SecurityCacheFactory.GetSecurityCacheProvider(“My
CacheProvider");
Call SaveIdentity
Pass IIDentity of existing user
Returns a token
IToken token = cache.SaveIdentity(this.identity)
Authenticating using a Token
Call GetIdentity
Pass token returned by SaveIdentity
Returns IIDentity or null
IIdentity savedIdentity = cache.GetIdentity(token);
if (savedIdentity != null)
{
// user is authenticated
}
else
{
// user not authenticated
}
Expiring a Token
Call ExpireIdentity
Pass token returned by SaveIdentity
cache.ExpireIdentity(token);
Key Extensibility Points
Custom security providers
Enhancing/expanding database providers
Plus…
Anything and everything – you have the source code!
Please post extensions and suggestions to the
community
http://workspaces.gotdotnet.com/entlib
Session Summary
Overview
What you must know to use the application block
Defining your configuration
Creating an instance of the security provider objects
Executing the methods
Getting beyond the surface
Selecting the right options for security
For really advanced users
Key extensibility points
Additional Resources
Improving Web Application Security
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnnetsec/html/ThreatCounter.asp
Improving .NET Application Performance and Scalability
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnpag/html/scalenet.asp
Application Architecture for .NET
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnbda/html/distapp.asp
PatternShare.org
Enterprise Library Community
http://go.microsoft.com/fwlink/?linkid=39209&clcid=0x09
www.ronjacobs.com
Slides
Tech Tips
Podcasts
Announcing: Enterprise Library 1.0
http://www.microsoft.com/practices
Patterns and Practices Live!
Slides, Hands On Labs, On Demand Webcasts
Upcoming Live Webcasts
3/28 Building your own block
3/31 Enterprise Library Applied
4/12 Global Bank Baseline Architecture
4/14 Updater Application Block v2
http://www.pnplive.com
Questions and Answers
Submit text questions using the “Ask a
Question” button.
Don’t forget to fill out the survey.
For upcoming and previously live webcasts:
www.microsoft.com/webcasts
Got webcast content ideas? E-mail us at:
http://go.microsoft.com/fwlink/?LinkId=41781
Today's webcast was presented using Microsoft
Office Live Meeting. Get a free 14 day trial
http://www.microsoft.com/presentlive